Future Chrome version may choose your passwords, and change them when you’ve been hacked

Google Chrome developers are working on a system to randomly generate user …

Mockup of a potential future version of Chrome which would auto-generate passwords

Google's Chrome development team is working on a system to automatically generate passwords, which would help users secure their online identities with passwords that differ from site to site and are randomized, and thus harder to guess. Detailed in developer documentation on the Chromium Project site, the system would detect account sign-up pages and "add a small UI element to the password field" giving the user the option of letting Chrome manage the password for them.

Initial versions of the system would create passwords on an individual basis, at the user's request. But Google's development team states that "At some point in the future it might also be possible for us to automatically change all of a user's passwords when we realize that their account is hijacked." The developer documentation notes that the feature would make Google "a higher value hijacking target" than it already is, although "Google is already a high value target so this shouldn't change much."

Chrome can already store passwords, a common feature in modern browsers, and it syncs them across computers, with the passwords encrypted in transit and at rest in Google data centers. The idea of auto-generating passwords is not new, either. Password management software such as 1Password and LastPass can already generate passwords and automatically input them into Web forms. But these tools cost money and require additional software downloads. Although it's not clear when it will become available, Google's scheme would make storing and generating passwords a pre-installed feature of the browser.

The first challenge noted by the Chrome development team is detecting sign-up pages, which is accomplished by looking for elements such as "an account name field and two password fields." Next, the Chrome password generator must come up with a secure password that meets the site's requirements—many sites require digits, special characters or certain lengths. Because the password generator may choose a password that doesn't meet the site's requirements, the user is given a chance to review the suggested password before selecting it.

"If they accept the prompt then we pop up a small box which is prepopulated with what we think is an acceptable random password," the Chromium development document says. "The reason we don't just choose a password for them is that many sites have requirements (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters) some of which may be contradictory between sites. So we will choose a default generator that will work on most sites, but users may need to change our password if it doesn't work."

The Chromium team is still looking for a "way to authenticate to the browser to enable this feature," and will have to find a workaround for sites that have autocomplete turned off.

"Any website that has autocomplete turned off will not be able to be protected," the document states. "Going by current phishing attacks, this means that 40-70% of phishing pages can't be protected against. Once this feature is rolled out we probably want to see if we can get around this problem. Maybe we can get users to re-authenticate to the browser before logging into such sites."

How much do you trust Google?

Google is often criticized for invading users' privacy, as the company makes much of its revenue by serving up personalized ads to users based on their Web browsing habits and even the contents of their e-mail. However, the development of technology to generate more secure passwords seems like a good-faith effort to protect users from online attacks, and isn't so far removed from the already-existing practice of browsers storing passwords.

Google's password-generator will likely be appealing to many because of the sheer convenience of it. But users will have to decide for themselves just how much of their online activities they want to trust with Google.

In the long run, Chrome developers say the solution should be browser sign-in coupled with the OpenID authentication standard. However, "getting most sites on the Internet to use OpenID will take a while," the Chrome team states. "In the meantime it would be nice to have a way to achieve the same effect of having the browser control authentication." Since many people re-use passwords across sites, randomization will go a long way toward better security, making it harder for attackers to steal a user's entire online identity.

Gee, that looks a lot like Password Hasher for Firefox (https://addons.mozilla.org/en-US/firefox/addon/password-hasher/). I have it installed, and use it sometimes, but it's not a full solution. I do like the master password though, as the seed for the hash value + domain.

As the article points out, what if a site can't take certain letters, or has to have so many characters or not too many? It's not perfect.

I'm already using this to generate some pseudo random passwords and this seems like basically the same approach just better integrated (well the first part that is, I really don't like the second part - I use more than one browser after all and would like them to continue working).

That is a very cool site! Thanks for pointing it out. I use 1Password but may change up a few of my critical passwords using this tool.

This looks like Google muscling in on LastPass's and 1Password's turf.

Chrome already syncs a hell of a lot of stuff. This isn't the most farfetched idea. I use 1Password, and I need to use Dropbox to sync it across machines. I use Dropbox for plenty of other things, so this is hardly an inconvenience. But I've yet to get my wife or parents onto it because it requires multiple pieces. (And 1Password isn't free.)

But Chrome is free and appears to be a one-stop shop. I'm trying to think of a reason this isn't a good idea.

Yeah, I want Google to go change my passwords for me. No thanks. I have 1Password on all my devices, and it's actually secure and doesn't spy on what I do online. And if I'm hacked I want to know independent of Google what all my new passwords are.

I'm already using this to generate some pseudo random passwords and this seems like basically the same approach just better integrated (well the first part that is, I really don't like the second part - I use more than one browser after all and would like them to continue working).

That is a very cool site! Thanks for pointing it out. I use 1Password but may change up a few of my critical passwords using this tool.

You're a senior IT reporter at ars, and you've never heard of GRC.com?

Seriously?

Are you being sarcastic? Get off your high horse. GRC is hardly the only place to generate long / secure machine passwords (and GRC's cachet is with something else, you know, SpinRite, but oh, you should know that since you know everything).

LastPass has already solved this correctly. Google will not. LastPass caches your encrypted passwords on their server and syncs them to your multiple browsers. LastPass cannot know your passwords because they are encrypted before they are sent to LastPass. Google will know your passwords. When Google loses your passwords, you will lose everything. Google will lose nothing. Google will never be able to figure out how to "change all your passwords". With LastPass, you never need to.

OpenID solves nothing. It simply makes it easier to steal your one OpenID. Facebook Connect or any other cross-site logon has the same problem.

Google is now so big that the law of lowest common denominator means that they will continue to do these sort of Stupid Things that years ago would have been stopped before they were published.

No mention of KeePass (www.keepass.info), which is an open source password manager that can also generate passwords given any password requirements?

I personally like to generate random user names using http://www.randomwordmachine.com/ and passwords using KeePass. I store the password database in my Dropbox folder, and use "key files" that are not in Dropbox.

Passwords are such a broken system of security. Unfortunately, anything else takes major revamping of the very way the Web operates. Somehow, Chrome changing my passwords for me doesn't make me feel any more secure. It's not like Google gets everything right all the time. Aren't I supposed to know what my own passwords are?

LastPass has already solved this correctly. Google will not. LastPass caches your encrypted passwords on their server and syncs them to your multiple browsers. LastPass cannot know your passwords because they are encrypted before they are sent to LastPass. Google will know your passwords. When Google loses your passwords, you will lose everything.

I would argue that 1Password has solved this problem even better by encrypting your passwords and using Dropbox as the mechanism to share them among multiple computers. That way the password service doesn't even have an encrypted copy of your passwords.

If it adds another layer of security to the average user I'm all for it. I already use a combination of KeePass to keep my accounts secure on my PC and Android device and I'll probably keep using it and not go with an all-in-one solution.

It might require more manual operations to authenticate, but I'm used to it.

No mention of KeePass (http://www.keepass.info), which is an open source password manager that can also generate passwords given any password requirements?

No mention of Post-it (tm) notes either? While we're mentioning every single possible product in which someone might store passwords so that they can use a brain cell or two to remember their phone number, let's make sure we include the time-honored favorite, right?

LastPass caches your encrypted passwords on their server and syncs them to your multiple browsers. LastPass cannot know your passwords because they are encrypted before they are sent to LastPass.

Exactly the same procedure that Chrome does when you sync passwords.

KWE wrote:

Google will know your passwords. When Google loses your passwords, you will lose everything. Google will lose nothing. Google will never be able to figure out how to "change all your passwords". With LastPass, you never need to.

Are you being sarcastic? Get off your high horse. GRC is hardly the only place to generate long / secure machine passwords (and GRC's cachet is with something else, you know, SpinRite, but oh, you should know that since you know everything).

Semi-sarcastic, but more resigned to the fact that standards are falling everywhere. For good or bad - every 'nerd' worth his salt knows of that infamous site.

That is a very cool site! Thanks for pointing it out. I use 1Password but may change up a few of my critical passwords using this tool.

I LOL'ed when I saw this on GRC's page: "Also, because this page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection..."

GRC has a long and... complicated... history in the industry.

Explain please. Is it or is it not a legit site? Steve Gibson seems like he knows his shit. But if you know otherwise, please inform the class.

It's a legit site - just take things there with a grain of salt. Steve Gibson has been involved in more than one security controversy over the years. Check Wikipedia or just Google around to find a little of his history.

The SSL LOL was a reference to several recent articles regarding the insecurity of SSL. I would think that a security expert like Gibson would avoid using wording as definitive as "snoop-proof" and "proxy-proof". Not the kind of language an expert would use (IMO).

Explain please. Is it or is it not a legit site? Steve Gibson seems like he knows his shit. But if you know otherwise, please inform the class.

It's definitely legit, and Gibson does know his stuff. The problem is that he's a huckster, a used car salesman of the software world. His software works great for what it actually can do, but his websites always play up the fear angle, then promise that his products can perform miracles and prevent anything bad from happening, with very fine print stating that he isn't responsible if they can't actually do any of the things promised. He has long claimed Spinrite will massively extend the life of any disk and can resuscitate a dead disk; any disk recovery maker will tell you that even a simple chkdsk will further erode your chances of even getting anything off with professional recovery.

It's the same way diet websites work: Prey on someone's insecurity and then sell them the magic tonic to fix it.

He has long claimed Spinrite will massively extend the life of any disk and can resuscitate a dead disk; any disk recovery maker will tell you that even a simple chkdsk will further erode your chances of even getting anything off with professional recovery.

I met a client recently who was actually still using SpinRite on their Windows 7 machines whenever the system was "acting up". I had no idea that product was still being sold, never mind that anyone still bought it!

I refuse to allow Chrome to store my passwords until they add a master password functionality. Unfortunately, the Chromium team currently refuses to do so because "it's inherently insecure" or some bullshit like that, due to the fact that you could have a keylogger on your PC, which invalidates the whole thing. Really? THAT is why you're refusing a higher level of security? Holy fuck, just add in a virtual keyboard and be done with it! But noooo...

Well, I'm dubious. In my ignorance, I always thought that when I told a browser to save a password, it saved it locally. I don't want my passwords stored on a Google site, nor Google responsible for them. I might be up for this approach from some other vendor which wasn't so pervasively tracking me.

Two weeks ago, I was looking at Nuance products for the Mac. Last week, when I went to a website, the lead ad, in bright orange, was "Still interested in Dragon Dictate for the Mac? Buy it now for 10% off!" I was rather freaked out. The next day, on the Smithsonian site, the same ad appeared in the lead position.

I don't know if this was the result of Google Search (probable) or my Chrome browsing history (possible), but (particularly in light of Google's new integration of information from all products) I'm in the process of changing to DuckDuckGo for search and Safari for browser. [Yes, I know, Google has subverted the Safari security provisions, but I expect that to be fixed promptly.]

And I didn't click on the ad; I never click on any web ad - I'd rather pay the extra $20. I have the sneaking suspicion that Google ads are like the Jehovah's Witnesses; even polite recognition of their existence is taken as encouragement, and you'll never be rid of them. I absolutely refuse to reinforce their behavior.

LastPass has already solved this correctly. Google will not. LastPass caches your encrypted passwords on their server and syncs them to your multiple browsers. LastPass cannot know your passwords because they are encrypted before they are sent to LastPass. Google will know your passwords. When Google loses your passwords, you will lose everything.

I imagine Google would do it the same way LastPass does and store it in your local Google profile and sync it with their servers. This means that passwords would be available regardless of whether you were online or not, and if Google were to suddenly go offline one day, you'd have a local password file on every computer available.

It's a much better way of doing it: it keeps the encrypting/decrypting task off their servers. Decrypting/encrypting a few passwords a day is easy for a computer to handle. Servers having to handle billions a day would have some monetary cost, so avoiding it would save Google money.

That's how I look at every password service. Do they have a financial benefit in keeping all my data secure? If yes, I put a level of trust in them. The fact that LastPass needs to keep it up to keep my annual premium bill coming through means that I expect they have several rather good engineers keeping things together.